<!DOCTYPE html>
<html lang="en">
  <head>
    <link rel="stylesheet" type="text/css" href="/css/style.css?v=3" />
    <link rel="stylesheet" type="text/css" href="/css/fontello.css?v=2" />
    <link rel="stylesheet" type="text/css" href="/css/themes/nitter.css" />
    <link rel="apple-touch-icon" sizes="180x180" href="/apple-touch-icon.png" />
    <link rel="icon" type="image/png" sizes="32x32" href="/favicon-32x32.png" />
    <link rel="icon" type="image/png" sizes="16x16" href="/favicon-16x16.png" />
    <link rel="manifest" href="/site.webmanifest" />
    <link rel="mask-icon" href="/safari-pinned-tab.svg" color="#ff6c60" />
    <link rel="search" type="application/opensearchdescription+xml" title="nitter" href="https://nitter.net/opensearch" />
    <title>Agentless Linux Security - Craig Rowland (@CraigHRowland): &quot;More on this Linux stealth malware below.&quot; | nitter</title>
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <meta property="og:type" content="article" />
    <meta property="og:title" content="Agentless Linux Security - Craig Rowland (@CraigHRowland)" />
    <meta property="og:description" content="More on this Linux stealth malware below." />
    <meta property="og:site_name" content="Nitter" />
    <meta property="og:locale" content="en_US" />
    <link rel="preload" type="font/woff2" as="font" href="/fonts/fontello.woff2?21002321" crossorigin="anonymous" />
  </head>
  <body>
    <div class="container"><div class="conversation">
        <div class="main-thread">
          <div id="m" class="main-tweet"><div class="timeline-item thread thread-line"><div class="tweet-body">
                <div><div class="tweet-header">
                    <a class="tweet-avatar" href="/CraigHRowland"><img class="avatar" src="/pic/profile_images%2F1050655612646830080%2Fal1tArWP_bigger.jpg" alt="" /></a>
                    <div class="tweet-name-row">
                      <div class="fullname-and-username">
                        <a class="fullname" href="/CraigHRowland" title="Agentless Linux Security - Craig Rowland">Agentless Linux Security - Craig Rowland</a>
                        <a class="username" href="/CraigHRowland" title="@CraigHRowland">@CraigHRowland</a>
                      </div>
                      <span class="tweet-date"><a href="/CraigHRowland/status/1422009387686645761#m" title="2/8/2021, 01:40:32">Aug 2</a></span>
                    </div>
                  </div></div>
                <div class="tweet-content media-body" dir="auto">More on this Linux stealth malware below.</div>
                <div class="quote quote-big">
                  <a class="quote-link" href="/CraigHRowland/status/1421981128584351746#m"></a>
                  <div class="tweet-name-row">
                    <div class="fullname-and-username">
                      <img class="avatar mini" src="/pic/profile_images%2F1050655612646830080%2Fal1tArWP_mini.jpg" />
                      <a class="fullname" href="/CraigHRowland" title="Agentless Linux Security - Craig Rowland">Agentless Linux Security - Craig Rowland</a>
                      <a class="username" href="/CraigHRowland" title="@CraigHRowland">@CraigHRowland</a>
                    </div>
                    <span class="tweet-date"><a href="/CraigHRowland/status/1421981128584351746#m" title="1/8/2021, 23:48:14">Aug 1</a></span>
                  </div>
                  <div class="quote-text" dir="auto">We found unknown Linux stealth malware using ld preload library to hide. It hid from a dynamically linked EDR product because it inserted its library first. Dynamically linked EDR is not reliable. All EDR and IR tools should be statically built for Linux. This is what we found.</div>
                  <a class="show-thread" href="/CraigHRowland/status/1421981128584351746#m">Show this thread</a>
                  <div class="quote-media-container"><div class="attachments"><div class="gallery-row" style=""><div class="attachment image"><a class="still-image" href="/pic/media%2FE7vkFgGUYAAHPML.png%3Fname%3Dorig" target="_blank"><img src="/pic/media%2FE7vkFgGUYAAHPML.png%3Fname%3Dsmall" alt="" /></a></div></div></div></div>
                </div>
                <p class="tweet-published">1:40 AM · Aug 2, 2021</p>
                <div class="tweet-stats">
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-comment" title=""></span> 4</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-retweet" title=""></span> 49</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-quote" title=""></span> 2</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-heart" title=""></span> 124</div></span>
                </div>
              </div></div></div>
          <div class="after-tweet thread-line">
            <div class="timeline-item ">
              <a class="tweet-link" href="/CraigHRowland/status/1422009393596436481#m"></a>
              <div class="tweet-body">
                <div><div class="tweet-header">
                    <a class="tweet-avatar" href="/CraigHRowland"><img class="avatar" src="/pic/profile_images%2F1050655612646830080%2Fal1tArWP_bigger.jpg" alt="" /></a>
                    <div class="tweet-name-row">
                      <div class="fullname-and-username">
                        <a class="fullname" href="/CraigHRowland" title="Agentless Linux Security - Craig Rowland">Agentless Linux Security - Craig Rowland</a>
                        <a class="username" href="/CraigHRowland" title="@CraigHRowland">@CraigHRowland</a>
                      </div>
                      <span class="tweet-date"><a href="/CraigHRowland/status/1422009393596436481#m" title="2/8/2021, 01:40:33">Aug 2</a></span>
                    </div>
                  </div></div>
                <div class="tweet-content media-body" dir="auto">Modified /etc/ld.so.preload to point to a malicious library to intercept system calls. The file was /lib/libcurl.so.2.17.0 and was not known by VirusTotal. The /etc/ld.so.preload file contents were being hidden from system commands. It was marked immutable to make removal harder.</div>
                <div class="attachments">
                  <div class="gallery-row" style="">
                    <div class="attachment image"><a class="still-image" href="/pic/media%2FE7vvQ6zVoAMPrCk.jpg%3Fname%3Dorig" target="_blank"><img src="/pic/media%2FE7vvQ6zVoAMPrCk.jpg%3Fname%3Dsmall" alt="" /></a></div>
                    <div class="attachment image"><a class="still-image" href="/pic/media%2FE7vv8-LVgAMxMHU.jpg%3Fname%3Dorig" target="_blank"><img src="/pic/media%2FE7vv8-LVgAMxMHU.jpg%3Fname%3Dsmall" alt="" /></a></div>
                  </div>
                  <div class="gallery-row" style="margin-top: .25em; ">
                    <div class="attachment image"><a class="still-image" href="/pic/media%2FE7vwkC5VcAMAoab.jpg%3Fname%3Dorig" target="_blank"><img src="/pic/media%2FE7vwkC5VcAMAoab.jpg%3Fname%3Dsmall" alt="" /></a></div>
                    <div class="attachment image"><a class="still-image" href="/pic/media%2FE7vwlqlVUAQBCTG.jpg%3Fname%3Dorig" target="_blank"><img src="/pic/media%2FE7vwlqlVUAQBCTG.jpg%3Fname%3Dsmall" alt="" /></a></div>
                  </div>
                </div>
                <div class="tweet-stats">
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-comment" title=""></span> 1</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-retweet" title=""></span> 1</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-quote" title=""></span> 0</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-heart" title=""></span> 10</div></span>
                </div>
              </div>
            </div>
            <div class="timeline-item ">
              <a class="tweet-link" href="/CraigHRowland/status/1422009398923169792#m"></a>
              <div class="tweet-body">
                <div><div class="tweet-header">
                    <a class="tweet-avatar" href="/CraigHRowland"><img class="avatar" src="/pic/profile_images%2F1050655612646830080%2Fal1tArWP_bigger.jpg" alt="" /></a>
                    <div class="tweet-name-row">
                      <div class="fullname-and-username">
                        <a class="fullname" href="/CraigHRowland" title="Agentless Linux Security - Craig Rowland">Agentless Linux Security - Craig Rowland</a>
                        <a class="username" href="/CraigHRowland" title="@CraigHRowland">@CraigHRowland</a>
                      </div>
                      <span class="tweet-date"><a href="/CraigHRowland/status/1422009398923169792#m" title="2/8/2021, 01:40:35">Aug 2</a></span>
                    </div>
                  </div></div>
                <div class="tweet-content media-body" dir="auto">We unmasked the file contents here. You can see the path and creation dates.</div>
                <div class="attachments"><div class="gallery-row" style=""><div class="attachment image"><a class="still-image" href="/pic/media%2FE7vw3DJVIAQdsQu.png%3Fname%3Dorig" target="_blank"><img src="/pic/media%2FE7vw3DJVIAQdsQu.png%3Fname%3Dsmall" alt="" /></a></div></div></div>
                <div class="tweet-stats">
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-comment" title=""></span> 1</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-retweet" title=""></span> 0</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-quote" title=""></span> 0</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-heart" title=""></span> 8</div></span>
                </div>
              </div>
            </div>
            <div class="timeline-item ">
              <a class="tweet-link" href="/CraigHRowland/status/1422009403738189824#m"></a>
              <div class="tweet-body">
                <div><div class="tweet-header">
                    <a class="tweet-avatar" href="/CraigHRowland"><img class="avatar" src="/pic/profile_images%2F1050655612646830080%2Fal1tArWP_bigger.jpg" alt="" /></a>
                    <div class="tweet-name-row">
                      <div class="fullname-and-username">
                        <a class="fullname" href="/CraigHRowland" title="Agentless Linux Security - Craig Rowland">Agentless Linux Security - Craig Rowland</a>
                        <a class="username" href="/CraigHRowland" title="@CraigHRowland">@CraigHRowland</a>
                      </div>
                      <span class="tweet-date"><a href="/CraigHRowland/status/1422009403738189824#m" title="2/8/2021, 01:40:36">Aug 2</a></span>
                    </div>
                  </div></div>
                <div class="tweet-content media-body" dir="auto">There were two processes started that watchdogged each other: kthreadd and bioset. Kthreadd was a well known cryptominer. Bioset was a controller process and was known by one vendor in VT. Both processes were packed/immutable. Also hidden from system commands from reading, etc.</div>
                <div class="attachments"><div class="gallery-row" style="">
                    <div class="attachment image"><a class="still-image" href="/pic/media%2FE7vxSrKVEAAnK5F.jpg%3Fname%3Dorig" target="_blank"><img src="/pic/media%2FE7vxSrKVEAAnK5F.jpg%3Fname%3Dsmall" alt="" /></a></div>
                    <div class="attachment image"><a class="still-image" href="/pic/media%2FE7vxXJBVUAYgubw.jpg%3Fname%3Dorig" target="_blank"><img src="/pic/media%2FE7vxXJBVUAYgubw.jpg%3Fname%3Dsmall" alt="" /></a></div>
                  </div></div>
                <div class="tweet-stats">
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-comment" title=""></span> 2</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-retweet" title=""></span> 0</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-quote" title=""></span> 0</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-heart" title=""></span> 8</div></span>
                </div>
              </div>
            </div>
            <div class="timeline-item ">
              <a class="tweet-link" href="/CraigHRowland/status/1422009408410710017#m"></a>
              <div class="tweet-body">
                <div><div class="tweet-header">
                    <a class="tweet-avatar" href="/CraigHRowland"><img class="avatar" src="/pic/profile_images%2F1050655612646830080%2Fal1tArWP_bigger.jpg" alt="" /></a>
                    <div class="tweet-name-row">
                      <div class="fullname-and-username">
                        <a class="fullname" href="/CraigHRowland" title="Agentless Linux Security - Craig Rowland">Agentless Linux Security - Craig Rowland</a>
                        <a class="username" href="/CraigHRowland" title="@CraigHRowland">@CraigHRowland</a>
                      </div>
                      <span class="tweet-date"><a href="/CraigHRowland/status/1422009408410710017#m" title="2/8/2021, 01:40:37">Aug 2</a></span>
                    </div>
                  </div></div>
                <div class="tweet-content media-body" dir="auto">Malicious SSH keys were inserted under root's authorized_keys. These files were likewise made immutable and masked from reading by system commands. We were able to see this key and it could be used to search other systems for infection.</div>
                <div class="attachments"><div class="gallery-row" style=""><div class="attachment image"><a class="still-image" href="/pic/media%2FE7vxvV2VgAQs66A.jpg%3Fname%3Dorig" target="_blank"><img src="/pic/media%2FE7vxvV2VgAQs66A.jpg%3Fname%3Dsmall" alt="" /></a></div></div></div>
                <div class="tweet-stats">
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-comment" title=""></span> 1</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-retweet" title=""></span> 0</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-quote" title=""></span> 0</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-heart" title=""></span> 8</div></span>
                </div>
              </div>
            </div>
            <div class="timeline-item ">
              <a class="tweet-link" href="/CraigHRowland/status/1422009412818857985#m"></a>
              <div class="tweet-body">
                <div><div class="tweet-header">
                    <a class="tweet-avatar" href="/CraigHRowland"><img class="avatar" src="/pic/profile_images%2F1050655612646830080%2Fal1tArWP_bigger.jpg" alt="" /></a>
                    <div class="tweet-name-row">
                      <div class="fullname-and-username">
                        <a class="fullname" href="/CraigHRowland" title="Agentless Linux Security - Craig Rowland">Agentless Linux Security - Craig Rowland</a>
                        <a class="username" href="/CraigHRowland" title="@CraigHRowland">@CraigHRowland</a>
                      </div>
                      <span class="tweet-date"><a href="/CraigHRowland/status/1422009412818857985#m" title="2/8/2021, 01:40:38">Aug 2</a></span>
                    </div>
                  </div></div>
                <div class="tweet-content media-body" dir="auto">The malware also had a keen interest in preserving /etc/ld.so.preload, with both malicious processes keeping this file open when running. Any attempt to read or modify this file was blocked with system commands. A view of raw file descriptors shows what is going on.</div>
                <div class="attachments"><div class="gallery-row" style="">
                    <div class="attachment image"><a class="still-image" href="/pic/media%2FE7vyQUKUcAMormu.jpg%3Fname%3Dorig" target="_blank"><img src="/pic/media%2FE7vyQUKUcAMormu.jpg%3Fname%3Dsmall" alt="" /></a></div>
                    <div class="attachment image"><a class="still-image" href="/pic/media%2FE7vy9JSVoAEkQod.jpg%3Fname%3Dorig" target="_blank"><img src="/pic/media%2FE7vy9JSVoAEkQod.jpg%3Fname%3Dsmall" alt="" /></a></div>
                  </div></div>
                <div class="tweet-stats">
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-comment" title=""></span> 1</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-retweet" title=""></span> 0</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-quote" title=""></span> 0</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-heart" title=""></span> 8</div></span>
                </div>
              </div>
            </div>
            <div class="timeline-item thread-last ">
              <a class="tweet-link" href="/CraigHRowland/status/1422009414811144196#m"></a>
              <div class="tweet-body">
                <div><div class="tweet-header">
                    <a class="tweet-avatar" href="/CraigHRowland"><img class="avatar" src="/pic/profile_images%2F1050655612646830080%2Fal1tArWP_bigger.jpg" alt="" /></a>
                    <div class="tweet-name-row">
                      <div class="fullname-and-username">
                        <a class="fullname" href="/CraigHRowland" title="Agentless Linux Security - Craig Rowland">Agentless Linux Security - Craig Rowland</a>
                        <a class="username" href="/CraigHRowland" title="@CraigHRowland">@CraigHRowland</a>
                      </div>
                      <span class="tweet-date"><a href="/CraigHRowland/status/1422009414811144196#m" title="2/8/2021, 01:40:38">Aug 2</a></span>
                    </div>
                  </div></div>
                <div class="tweet-content media-body" dir="auto">If you want to find this malware, look at your /etc/ld.so.preload file. Can you see it? Can you cat it? If not, then something is protecting it and you might want to find out what it is.</div>
                <div class="tweet-stats">
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-comment" title=""></span> 1</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-retweet" title=""></span> 4</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-quote" title=""></span> 1</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-heart" title=""></span> 23</div></span>
                </div>
              </div>
            </div>
          </div>
        </div>
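        <div class="timeline-item added-example">
          <div class="tweet-body">
            <p>The closing check in the thread ("Can you see it? Can you cat it?") is run with ls and cat, which are themselves dynamically linked and so load the same /etc/ld.so.preload entry they are being used to inspect. The C program below is an added example written for this page; it is not code from the thread or its author. It reads /etc/ld.so.preload through syscall(2) rather than the libc open()/read() wrappers, lists the libraries the file names and whether each exists on disk, checks the immutable attribute the thread mentions, and walks /proc/&lt;pid&gt;/fd with raw getdents64/readlinkat to count processes holding the file open (the raw file descriptor view from the thread). PRELOAD_PATH, MAX_ENTRY and every function name are this example's own, and the sample file contents used to exercise it are constructed.</p>

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <linux/fs.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#define PRELOAD_PATH "/etc/ld.so.preload" /* file named in the thread */
#define MAX_ENTRY 256

/* getdents64 record, declared locally so no libc readdir() wrapper (a usual
 * LD_PRELOAD hook target) sits between this program and the kernel. */
struct raw_dirent64 { unsigned long long d_ino; long long d_off;
                      unsigned short d_reclen; unsigned char d_type; char d_name[]; };

/* Read `path` via syscall(2) instead of open()/read(), so a preloaded library
 * wrapping those symbols cannot filter the bytes. Returns length or -1. */
ssize_t raw_read_file(const char *path, char *buf, size_t cap) {
    long fd = syscall(SYS_openat, AT_FDCWD, path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    size_t total = 0;
    while (total < cap - 1) {
        long n = syscall(SYS_read, fd, buf + total, cap - 1 - total);
        if (n <= 0) break;
        total += (size_t)n;
    }
    syscall(SYS_close, fd);
    buf[total] = '\0';
    return (ssize_t)total;
}
/* Split preload contents into library paths: whitespace-separated per ld.so(8), ':' tolerated too. */
int preload_entries(const char *buf, char entries[][MAX_ENTRY], int max) {
    const char *sep = " \t\r\n:";
    int count = 0;
    for (const char *p = buf; *p && count < max;) {
        while (*p && strchr(sep, *p)) p++;
        if (!*p) break;
        const char *start = p;
        while (*p && !strchr(sep, *p)) p++;
        size_t len = (size_t)(p - start);
        if (len > MAX_ENTRY - 1) len = MAX_ENTRY - 1;
        memcpy(entries[count], start, len);
        entries[count++][len] = '\0';
    }
    return count;
}
/* 1 if chattr +i (FS_IMMUTABLE_FL) is set, 0 if not, -1 if unopenable or the fs lacks the ioctl. */
int is_immutable(const char *path) {
    long fd = syscall(SYS_openat, AT_FDCWD, path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    int flags = 0, rc = ioctl((int)fd, FS_IOC_GETFLAGS, &flags);
    syscall(SYS_close, fd);
    return rc < 0 ? -1 : (flags & FS_IMMUTABLE_FL) != 0;
}
/* 1 if the listed library exists by the kernel's account (raw faccessat). */
int library_visible(const char *lib) {
    return syscall(SYS_faccessat, AT_FDCWD, lib, F_OK) == 0;
}
/* Count processes holding `path` open by walking /proc/<pid>/fd with raw getdents64/readlinkat. */
int count_fd_holders(const char *path) {
    long proc = syscall(SYS_openat, AT_FDCWD, "/proc", O_RDONLY | O_DIRECTORY);
    if (proc < 0) return -1;
    static char dbuf[16384], fbuf[4096], link[4096];
    char sub[64];
    int holders = 0;
    long n, m;
    while ((n = syscall(SYS_getdents64, proc, dbuf, sizeof dbuf)) > 0)
        for (long off = 0; off < n;) {
            struct raw_dirent64 *d = (struct raw_dirent64 *)(dbuf + off);
            off += d->d_reclen;
            if (d->d_name[0] < '1' || d->d_name[0] > '9') continue; /* PID directories only */
            snprintf(sub, sizeof sub, "/proc/%s/fd", d->d_name);
            long fdd = syscall(SYS_openat, AT_FDCWD, sub, O_RDONLY | O_DIRECTORY);
            if (fdd < 0) continue; /* other users' processes need root to inspect */
            int hit = 0;
            while (!hit && (m = syscall(SYS_getdents64, fdd, fbuf, sizeof fbuf)) > 0)
                for (long o = 0; o < m && !hit;) {
                    struct raw_dirent64 *e = (struct raw_dirent64 *)(fbuf + o);
                    o += e->d_reclen;
                    if (e->d_name[0] == '.') continue;
                    long len = syscall(SYS_readlinkat, fdd, e->d_name, link, sizeof link - 1);
                    if (len > 0) { link[len] = '\0'; hit = strcmp(link, path) == 0; }
                }
            syscall(SYS_close, fdd);
            holders += hit;
        }
    syscall(SYS_close, proc);
    return holders;
}
/* Stand-alone use: report on this host's real /etc/ld.so.preload. */
int main(void) {
    static char buf[4096], libs[32][MAX_ENTRY];
    ssize_t n = raw_read_file(PRELOAD_PATH, buf, sizeof buf);
    if (n < 0) { puts(PRELOAD_PATH ": raw open failed (absent, or hidden below libc)"); return 0; }
    printf("%s: %zd bytes, immutable=%d, held open by %d process(es)\n",
           PRELOAD_PATH, n, is_immutable(PRELOAD_PATH), count_fd_holders(PRELOAD_PATH));
    for (int i = 0, k = preload_entries(buf, libs, 32); i < k; i++)
        printf("  entry %s: %s on disk\n", libs[i], library_visible(libs[i]) ? "present" : "MISSING");
    return 0;
}
```

            <p>Build it with gcc -static so that no dynamic loader, and therefore no preload entry, is involved at all, which is the static-tooling point the thread makes; run it as root if other users' /proc/&lt;pid&gt;/fd directories are to be inspected. In a dynamically linked build the glibc syscall() wrapper is itself a symbol a preloaded library could interpose, and a kernel-level rootkit sits below this check entirely, so a clean result is one signal rather than proof. The finding to chase is a discrepancy: a file this program reads but cat cannot, a listed library it finds on disk but ls does not show, or an immutable flag on a file that should be absent.</p>
          </div>
        </div>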
        <div id="r" class="replies">
          <div class="reply thread thread-line">
            <div class="timeline-item ">
              <a class="tweet-link" href="/timb_machine/status/1422087387031687170#m"></a>
              <div class="tweet-body">
                <div><div class="tweet-header">
                    <a class="tweet-avatar" href="/timb_machine"><img class="avatar" src="/pic/profile_images%2F68168727%2F2007061702-debconf_bigger.jpg" alt="" /></a>
                    <div class="tweet-name-row">
                      <div class="fullname-and-username">
                        <a class="fullname" href="/timb_machine" title="Tim Brown">Tim Brown</a>
                        <a class="username" href="/timb_machine" title="@timb_machine">@timb_machine</a>
                      </div>
                      <span class="tweet-date"><a href="/timb_machine/status/1422087387031687170#m" title="2/8/2021, 06:50:28">Aug 2</a></span>
                    </div>
                  </div></div>
                <div class="replying-to">Replying to <a href="/CraigHRowland">@CraigHRowland</a></div>
                <div class="tweet-content media-body" dir="auto">Do you have a more "formal" writeup with hashes etc?</div>
                <div class="tweet-stats">
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-comment" title=""></span> 1</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-retweet" title=""></span> 0</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-quote" title=""></span> 0</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-heart" title=""></span> 0</div></span>
                </div>
              </div>
            </div>
            <div class="timeline-item ">
              <a class="tweet-link" href="/CraigHRowland/status/1422110054493261824#m"></a>
              <div class="tweet-body">
                <div><div class="tweet-header">
                    <a class="tweet-avatar" href="/CraigHRowland"><img class="avatar" src="/pic/profile_images%2F1050655612646830080%2Fal1tArWP_bigger.jpg" alt="" /></a>
                    <div class="tweet-name-row">
                      <div class="fullname-and-username">
                        <a class="fullname" href="/CraigHRowland" title="Agentless Linux Security - Craig Rowland">Agentless Linux Security - Craig Rowland</a>
                        <a class="username" href="/CraigHRowland" title="@CraigHRowland">@CraigHRowland</a>
                      </div>
                      <span class="tweet-date"><a href="/CraigHRowland/status/1422110054493261824#m" title="2/8/2021, 08:20:33">Aug 2</a></span>
                    </div>
                  </div></div>
                <div class="tweet-content media-body" dir="auto">Will do something. I found an older write-up of what looks like an earlier variant on a Chinese security site. The hashes for this version are all different and I don't recommend using hashes to search for Linux malware.

<a href="https://github.com/bg6cq/ITTS/blob/master/security/mine/README.md">github.com/bg6cq/ITTS/blob/m…</a></div>
                <div class="card large"><a class="card-container" href="https://github.com/bg6cq/ITTS/blob/master/security/mine/README.md">
                    <div class="card-image-container"><div class="card-image"><img src="/pic/card_img%2F1471937509865099264%2FpbK50Fv-%3Fformat%3Djpg%26name%3D600x600" alt="" /></div></div>
                    <div class="card-content-container"><div class="card-content">
                        <h2 class="card-title">ITTS&#x2F;README.md at master · bg6cq&#x2F;ITTS</h2>
                        <p class="card-description">Campus IT Technical Specifications. Contribute to bg6cq&#x2F;ITTS development by creating an account on GitHub.</p>
                        <span class="card-destination">github.com</span>
                      </div></div>
                  </a></div>
                <div class="tweet-stats">
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-comment" title=""></span> 1</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-retweet" title=""></span> 2</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-quote" title=""></span> 0</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-heart" title=""></span> 6</div></span>
                </div>
              </div>
            </div>
            <div class="timeline-item more-replies"><a class="more-replies-text" href="/CraigHRowland/status/1422110054493261824#m">more replies</a></div>
          </div>
          <div class="reply thread thread-line"><div class="timeline-item thread-last ">
              <a class="tweet-link" href="/Purp1eW0lf/status/1422215832378171395#m"></a>
              <div class="tweet-body">
                <div><div class="tweet-header">
                    <a class="tweet-avatar" href="/Purp1eW0lf"><img class="avatar" src="/pic/profile_images%2F1460706856498876427%2FluRd5jYS_bigger.jpg" alt="" /></a>
                    <div class="tweet-name-row">
                      <div class="fullname-and-username">
                        <a class="fullname" href="/Purp1eW0lf" title="Dray Agha">Dray Agha</a>
                        <a class="username" href="/Purp1eW0lf" title="@Purp1eW0lf">@Purp1eW0lf</a>
                      </div>
                      <span class="tweet-date"><a href="/Purp1eW0lf/status/1422215832378171395#m" title="2/8/2021, 15:20:52">Aug 2</a></span>
                    </div>
                  </div></div>
                <div class="replying-to">Replying to <a href="/CraigHRowland">@CraigHRowland</a></div>
                <div class="tweet-content media-body" dir="auto">Would you be kind enough to share a copy of the malware itself? 🔎🔎🔎</div>
                <div class="tweet-stats">
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-comment" title=""></span> 0</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-retweet" title=""></span> 0</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-quote" title=""></span> 0</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-heart" title=""></span> 0</div></span>
                </div>
              </div>
            </div></div>
          <div class="reply thread thread-line">
            <div class="timeline-item ">
              <a class="tweet-link" href="/_malwarez/status/1422228387935006724#m"></a>
              <div class="tweet-body">
                <div><div class="tweet-header">
                    <a class="tweet-avatar" href="/_malwarez"><img class="avatar" src="/pic/profile_images%2F1064928804571922432%2FCWQIJu8n_bigger.jpg" alt="" /></a>
                    <div class="tweet-name-row">
                      <div class="fullname-and-username">
                        <a class="fullname" href="/_malwarez" title="Able Archer">Able Archer</a>
                        <a class="username" href="/_malwarez" title="@_malwarez">@_malwarez</a>
                      </div>
                      <span class="tweet-date"><a href="/_malwarez/status/1422228387935006724#m" title="2/8/2021, 16:10:46">Aug 2</a></span>
                    </div>
                  </div></div>
                <div class="replying-to">Replying to <a href="/CraigHRowland">@CraigHRowland</a></div>
                <div class="tweet-content media-body" dir="auto">Thanks for sharing (and not sharing certain things). For file immutability, can you share whether the actor used built-in GNU commands to achieve this (e.g. chattr?) or whether this was implemented "natively" with a syscall or something similar? Always appreciate your findings.</div>
                <div class="tweet-stats">
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-comment" title=""></span> 1</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-retweet" title=""></span> 0</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-quote" title=""></span> 0</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-heart" title=""></span> 1</div></span>
                </div>
              </div>
            </div>
            <div class="timeline-item thread-last ">
              <a class="tweet-link" href="/CraigHRowland/status/1422398129106653188#m"></a>
              <div class="tweet-body">
                <div><div class="tweet-header">
                    <a class="tweet-avatar" href="/CraigHRowland"><img class="avatar" src="/pic/profile_images%2F1050655612646830080%2Fal1tArWP_bigger.jpg" alt="" /></a>
                    <div class="tweet-name-row">
                      <div class="fullname-and-username">
                        <a class="fullname" href="/CraigHRowland" title="Agentless Linux Security - Craig Rowland">Agentless Linux Security - Craig Rowland</a>
                        <a class="username" href="/CraigHRowland" title="@CraigHRowland">@CraigHRowland</a>
                      </div>
                      <span class="tweet-date"><a href="/CraigHRowland/status/1422398129106653188#m" title="3/8/2021, 03:25:15">Aug 3</a></span>
                    </div>
                  </div></div>
                <div class="tweet-content media-body" dir="auto">I didn't get the initial compromise script so I can't say. I would need to look more closely at the binary to see if it's done in the code but haven't looked for it.</div>
                <div class="tweet-stats">
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-comment" title=""></span> 0</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-retweet" title=""></span> 0</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-quote" title=""></span> 0</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-heart" title=""></span> 1</div></span>
                </div>
              </div>
            </div>
          </div>
        </div>
      </div></div>
  </body>
</html>